Composite-order bilinear groups provide many structural features that have proved useful both for constructing cryptographic primitives and as a technique in security reductions. Despite these convenient features, however, composite-order bilinear groups are less desirable than prime-order bilinear groups for reasons of efficiency. A recent line of work has therefore focused on translating these structural features from the composite-order to the prime-order setting; much of this work focused on two such features, projecting and canceling, in isolation, but a recent result due to Seo and Cheon showed that both features can be obtained simultaneously in the prime-order setting.

In this paper, we reinterpret the construction of Seo and Cheon in the context of dual pairing vector spaces, a tool previously used to simulate other desirable features of composite-order groups in the prime-order setting. In this way, we are able to obtain a unified framework that simulates all of the known composite-order features in the prime-order setting. We demonstrate the strength of this framework by showing that the addition of even a weak form of projecting on top of the pre-existing uses of dual pairing vector spaces can be leveraged to "boost" a fully IND-CPA secure identity-based encryption scheme to one that is fully IND-CCA1 secure.

CLEFIA is a 128-bit block cipher proposed by Sony Corporation in 2007. Our paper introduces a new chosen text attack, the impossible differential-linear attack, on iterated cryptosystems. The attack is efficient for full-round CLEFIA without whitening keys. In the paper, we construct a 14-round impossible differential distinguisher. Based on the distinguisher, we present an effective attack on full-round CLEFIA-128 with data complexity of $2^{126.52}$, recovering 91-bit subkeys in total. Besides, the results of 15/16/17-round CLEFIA-128 are given in the Appendix B/C/D. Our attack can also be applied to CLEFIA-192 and CLEFIA-256.

A few days ago, Grigoriev and Shpilrain proposed building a system for transmission of information without a shared secret, or essentially a sort of public key cryptosystem, based on properties of physical systems.

In this paper we show that their second scheme based on capacitors is insecure and extremely easy to break in practice.

The generation of high quality random numbers is crucial to many cryptographic applications, including cryptographic protocols, secret keys, nonces or salts. Their values must contain enough randomness to be unpredictable to attackers. Pseudo-random number generators require initial data with high entropy as a seed to produce a large stream of high quality random data. Yet, despite the importance of randomness, proper high quality random number generation is often ignored. Primarily embedded devices often suffer from weak random number generators. In this work, we focus on identifying and evaluating SRAM in commercial off-the-shelf microcontrollers as an entropy source for PRNG seeding. We measure and evaluate the SRAM start-up patterns of two popular types of microcontrollers, a STMicroelectronics STM32F100R8 and a Microchip PIC16F1825. We also present an efficient software-only architecture for secure PRNG seeding. After analyzing over 1 000 000 measurements in total, we conclude that of these two devices, the PIC16F1825 cannot be used to securely seed a PRNG. The STM32F100R8, however, has the ability to generate very strong seeds from the noise in its SRAM start-up pattern. These seeds can then be used to ensure a PRNG generates high quality data.

Leakage-resilient cryptography aims at developing new algorithms for which physical security against side-channel attacks can be formally analyzed. Following the work of Dziembowski and Pietrzak at FOCS 2008, several symmetric cryptographic primitives have been investigated in this setting. Most of them can be instantiated with a block cipher as underlying component. Such an approach naturally raises the question whether certain block ciphers are better suited for this purpose. In order to answer this question, we consider a leakage-resilient re-keying function, and evaluate its security at different abstraction levels. That is, we study possible attacks exploiting specific features of the algorithmic description, hardware architecture and physical implementation of this construction. These evaluations lead to two main outcomes. First, we complement previous works on leakage-resilient cryptography and further specify the conditions under which they actually provide physical security. Second, we take advantage of our analysis to extract new design principles for block ciphers to be used in leakage-resilient primitives. While our investigations focus on side-channel attacks in the first place, we hope these new design principles will trigger the interest of symmetric cryptographers to design new block ciphers combining good properties for secure implementations and security against black box (mathematical) cryptanalysis.

In this paper we show how some recent ideas regarding the discrete logarithm problem (DLP) in finite fields of small characteristic may be applied to compute logarithms in some very large fields extremely efficiently. In particular, we demonstrate a practical DLP break in the finite field of $2^{6120}$ elements, using just a single core-month.

We present a framework for constructing compact FHE (fully homomorphic encryption) which is circuit-private in the malicious setting. That is, even if both a maliciously formed public key and a maliciously formed ciphertext are used, encrypted outputs only reveal the evaluation of the circuit on some well-formed input $x^*$.

Previous literature on FHE only considered semi-honest circuit privacy.

Circuit-private FHE schemes have direct applications to computing on encrypted data. In that setting, one party (a receiver) holding an input $x$ wishes to learn the evaluation of a circuit $C$ held by another party (a sender). The goal is to make receiver's work sublinear (and ideally independent) of $\mathcal{C}$, using a 2-message protocol.

Maliciously circuit-private FHE immediately gives rise to such a protocol which is secure against malicious receivers.

to. Gordon et al. (Asiacrypt 2010) suggested the first realization of group signatures based on lattice assumptions in the random oracle model. A significant drawback of their scheme is its linear signature size in the cardinality $N$ of the group. A recent extension proposed by Camenisch et al. (SCN 2012) suffers from the same overhead. In this paper, we describe the first lattice-based group signature schemes where the signature and public key sizes are essentially logarithmic in $N$ (for any fixed security level). Our basic construction only satisfies a relaxed definition of anonymity (just like the Gordon et al. system) but readily extends into a fully anonymous group signature (i.e., that resists adversaries equipped with a signature opening

This memo describes a new cryptographic weakness of the passkey-based pairing of Bluetooth Low Energy (also known as Bluetooth Smart). The vulnerability discussed here extends the set of possible attack scenarios that were already elaborated before by Mike Ryan at Shmoocon 2013.

Instead of the passive sniffing attack on pairing secrets, we show how an active fraudulent Responder can gracefully bypass passkey authentication, despite it possibly being based on even a one-time generated PIN.

Minimal Latency Tunneling (MinimaLT) is a new network protocol that provides ubiquitous encryption for maximal confidentiality, including protecting packet headers. MinimaLT provides server and user authentication, extensive Denial-of-Service protections, and IP mobility while approaching perfect forward secrecy. We describe the protocol, demonstrate its performance relative to TLS and unencrypted TCP/IP, and analyze its protections, including its resilience against DoS attacks [56]. By exploiting the properties of its cryptographic protections, MinimaLT is able to eliminate three-way handshakes and thus create connections faster than unencrypted TCP/IP.